PwC Australia uses gamification to teach cyber security lessons

With the number of cyber incidents identified by Australian organisations more than doubling in the past year, PwC is using an online game to give enterprises first-hand experience of what it means to face a cyber attack.

PwC recently introduced Game of Threats to its Australian clients to simulate what might happen in a real cyber attack.

Participants are split into two teams – attackers and responders – and points are awarded based on outcome. Generally the black hats win first time around, according to PwC partner Richard Bergman, but as the responders learn how to prepare for, react to and remedy a situation, they can claw back the lead.

Bergman, a partner in PwC’s cyber and forensics business, said the firm’s Game of Threats was gaining traction locally and had been played by around 80 board-level directors since its launch, with particular interest from finance sector businesses. He said that over two hours there was the chance to play three games either as a hacker or company employee responding to the threat, giving a better understanding of how to tackle the challenge in real life.

According to Bergman, the level of enterprise awareness about cyber risk “skyrocketed” in the last year, and PwC surveys had identified cyber risk as the number one threat for Australian CEOs. “Their concern is higher than the global average,” he pointed out.

Failure forecast

Gamification has had a bad press – Gartner famously forecast in 2012 that 80% of gamification projects would fail within two years. But it has carved out a strong use case in demonstrating the cyber security challenge to senior executives, and educating all levels of employees about what to do to avoid or respond to attacks.

The ability of online games to capture the imagination has been reinforced by the sight of adults as well as children scouring the planet for Pokemons. While KPMG gamification enthusiast Christian Gossan hesitates to conflate Pokemon Go’s success with enterprise gamification efforts, he said: “Games capture people’s imagination. Fads like Pokemon Go are amazing to watch – people love to be engaged.”

It does, however, set the bar a little higher on what it will take to engage people through enterprise gamification.

“If that’s what people are doing before they come into work, their engagement level is extraordinarily high,” said Gossan. “Businesses are competing for engagement with our people. If you’re not doing it now, then every year you will step a little bit further back.”

According to Savvides, it is important for organisations to recognise there is no escape from the risk of cyber compromise. “Regardless of the investment in technology, process or people – it’s never enough,” he said.

But he added that the one area where people could make a difference was in preparedness to respond to breaches. He said that in the past cyber security training had been performed “as cheaply as possible for compliance purposes”, using checklists and multiple choice questionnaires to walk people through potential scenarios. “The metric was not whether the training was effective, but if people have done it.”

Ready for action

Savvides said that gamifying the process engaged people and provided them with useful response strategies should a real attack take place.

“It’s why there are military exercises – so troops understand how to respond in certain circumstances. Or like training in sport. The same applies in cyber – so people develop fast reflexes, know what to do and don’t panic.”

Gossan at KPMG believes that in the future elements of gamification will routinely be built into a wide range of applications.

He said this approach will be overt where consumers are encouraged to provide information through “play this game and win” campaigns, but will be more subtle in other situations. For example, where people are encouraged to fill in online applications and the design of the system rewards them with statements that they are “70% there” or “just one step away” from completion. “That’s where gamification gets embedded into processes.”

Enterprise gamification

The issue of enterprise gamification will be aired at the second Gamification Sydney event scheduled for November. The event will provide hands-on gamification workshops as well as enterprise and government case studies of how the technique has been used for engagement and learning.

Gossan will present at that conference. He led the development of an internal KPMG education system initially called The Game. Rolled out first in Australia, and then internationally, the system teaches new employees about the 150-odd different service offerings under the KPMG umbrella.

Now called Globerunner, the system encourages staff to learn about KPMG services, and as they do they earn points. Gossan said typically an employee would use the game for 10 to 15 minutes at a time and be able to get a good understanding of the top 50-60 services offered by KPMG.

At the same time, a global leader board displays users’ points, which, he said, “adds a bit of sizzle”.

Recruitment gamified

KPMG is also using gamification in its graduate recruitment programme, which will this year help identify 400 new hires from 10,000 applicants. National manager for graduate talent acquisition Helen Bobbitt said the company uses the Australia-developed Revelian Theme Park Hero online game to test applicants’ problem-solving, decision-making, prioritisation and strategy skills. The game also tests mental agility, attention to detail, spatial ability and numerical capability, and is said to capture 10,000 data points in just 10 minutes of game time.

It’s that ability to capture and transmit information that makes gamified platforms particularly attractive for security training and education.

Symantec offers generic training using its CyberWar Games, but can also create a tailored programme that mirrors an enterprise’s real IT environment. According to Savvides, the approach can lead to responsibilities and budgets for cyber awareness being more broadly shared across the enterprise and not left purely to IT.

He said that often the costs of gamified cyber training are shared by HR and IT, or security and risk. But he noted that while the notion of gamified security training has a deal more traction than it did 18 months ago, it is still too low a priority in many organisations.
